Revocation Bitmap 2022
This specification describes an on-Tangle mechanism for publishing the revocation status of Verifiable Credentials embedded in an issuer's DID document.
Revocation gives an issuer the capability to invalidate a credential they issued before its natural expiration date. To achieve this, issuers can embed an identifier in the
credentialStatus field of a credential. Verifiers can then lookup that identifier in a separate list, to check whether the credential is still valid. This document specifies a mechanism of embedding such a list, in form of a bitmap, in the DID document of the issuer, where each bitmap index corresponds to a credential they have issued. This mechanism is space-efficient and enables a verifier to check a credential's status in a privacy-preserving manner and without requiring additional lookups or external resources.
Revocation Bitmap Concept
The revocation status of a verifiable credential is expressed as a binary value. The issuer keeps a bitmap of indices corresponding to verifiable credentials they have issued. If the binary value of the index in the bitmap is 1 (one), the verifiable credential is revoked, if it is 0 (zero) it is not revoked.
Revocation Bitmap Status
For an issuer to enable verifiers to check the status of a verifiable credential, the
credentialStatus property MUST be specified with the following properties:
|The constraints on the |
An example of a verifiable credential with a
credentialStatus of type
"type": ["VerifiableCredential", "UniversityDegreeCredential"],
"degree": "Bachelor of Science and Arts",
Revocation Bitmap Service
|The constraints on the |
An example of an issuer's DID document where credential
"5" in the
#revocation service is revoked:
The following algorithms define how to generate, expand and validate revocation bitmaps.
Service Endpoint Generation Algorithm
The following process MUST be followed when producing a
RevocationBitmap2022 to embed in a service endpoint:
- Let bitmap be a roaring bitmap where each bit is initialized to 0.
- For each revoked credential with an index not exceeding an unsigned, 32-bit integer, set the corresponding bit in bitmap at index to 1.
- Generate the bitmap serialization according to the roaring bitmap serialization format using the bitmap as input.
- Generate a compressed bitmap by using the ZLIB compression algorithm [RFC 1950] on the bitmap serialization and base64-encoding [RFC4648] the result.
- Create the service endpoint by embedding the compressed bitmap in a data URL [RFC2397]. On the data url, the
base64attribute MUST be set.
- Return the service endpoint.
Service Endpoint Expansion Algorithm
The following process MUST be followed when expanding the endpoint from a service of type
- Let service endpoint be a data url generated using the service endpoint generation algorithm.
<mediatype>of the service endpoint MUST be
base64attribute MUST be set, return an error otherwise. Let compressed bitmap be the
<data>part of the data url.
- Generate an uncompressed bitmap by base64-decoding [RFC4648] the compressed bitmap and then decompressing the result using ZLIB [RFC 1950].
- Generate the bitmap by deserializing the uncompressed bitmap according to the roaring bitmap serialization format.
- Return the bitmap.
The following steps MUST be followed when checking whether a verifiable credential is revoked:
- Let credential be a verifiable credential containing a
- Let revocation bitmap URL be the
idfield of the credential's
- Resolve the revocation bitmap URL to a revocation bitmap service in the issuer's DID document, and verify that the service
RevocationBitmap2022. Return an error otherwise.
- Expand the endpoint of the revocation bitmap service into a revocation bitmap according to the service endpoint expansion algorithm.
- Let revocation index be the integer value of the
revocationBitmapIndexproperty contained in the
credentialStatusof the credential.
- Let revoked be the value of the bit at index revocation index in the revocation bitmap.
trueif revoked is 1,
This section provides test vectors to validate implementations against.
Test Vector 1
The following data URL decodes to a bitmap of length 0 where no index is revoked:
Test Vector 2
The following data URL decodes to a bitmap of length 3 where indices
67000 are revoked:
Test Vector 3
The following data URL decodes to a bitmap of length 16384 where all indices are revoked:
This section describes the rationale behind some of the design decisions of this specification.
Compression and maximum size
Considering that messages published to the Tangle cannot exceed 32 KiB in size, and that larger messages have increased requirements, the use of compression was assessed. The precise size of a serialized bitmap varies based on the number and distribution of revoked indices. When indices are revoked uniformly randomly, roughly 100,000 - 200,000 can be achieved in a DID Document with compression, and significantly more if consecutive indices are revoked.
ZLIB [RFC 1950] was chosen for having a free and open source software licence and being one of the most widely used compression schemes, which enhances the accessibility of this specification. Some other assessed algorithms produced only marginally better compression ratios but had far fewer existing implementations across different programming languages.
Compressed Bitstring vs. Roaring Bitmap
Because of its space efficiency, a roaring bitmap is preferred for representing a bitmap in-memory. To avoid the dependency on roaring bitmap, we considered using a compressed bitstring as the serialization format. However, serialization of such a bitstring was 2-3x slower compared to roaring's serialization format, which becomes an issue on resource-constrained devices (e.g. smartphones) or in web browsers.
The RevocationList2020 specification and StatusList2021 specification both describe a similar revocation mechanism using a verifiable credential that contains a bitmap, similar to the
RevocationBitmap2022 approach. The credential is hosted outside of the DID document and the verifier thus needs to fetch it from an external resource, likely one controlled by the issuer. This has privacy implications as the issuer can track where a fetch request for the credential came from and potentially infer who the credential was verified by and for what purpose. The issuer can also potentially infer which credential was checked. Because
RevocationBitmap2022 is embedded in the issuer's DID document, which can be obtained without the their knowledge, this approach does not suffer from these privacy shortcomings. See also the privacy considerations.
A downside of embedding the revocation list in the DID document is that storage in a distributed ledger (DLT) is usually more expensive than other storage hosting solutions. The DLT might also impose message size limitations, capping the total number of revocations that can be done (see also compression).
Another difference is that
RevocationList2020 specifies a minimum initial size of 131,072 for its bitstring, to mitigate the potential for correlating individuals when few credentials have been issued.
RevocationBitmap2022 uses a roaring bitmap instead of a bitstring, so the maximum size is not fixed (apart from the upper bound of an unsigned 32-bit integer). This means the bitmap cannot be used to correlate small populations without more information not present in the bitmap itself. However, both schemes still reveal publicly how many credentials have been revoked, which could be used to infer other information if more knowledge about how an issuer assigns credential revocation indexes is known.
StatusList2021 allows for explicitly stating the purpose of the list, currently either revocation or suspension. This specification does not mandate that revoked credentials cannot be unrevoked, which means a
RevocationBitmap2022 can effectively also be used as a suspension list.
Because the revocation bitmap is embedded in the DID document, and thus available without contacting the issuer directly, the issuer cannot correlate how a holder uses their credential.
An observer finding a service of type
RevocationBitmap2022 in a DID document can infer that this DID belongs to an issuer. However, DIDs of issuers tend to be publicly known, in contrast to DIDs of other entities, so this is unlikely to present an issue. External observers can monitor the frequency of revocations and potentially the total number of issued credentials, depending on how the issuer assigns credential indices (e.g. starting from 0 and incrementing the index for each issued credential).